authorDaniil Baturin <daniil@baturin.org>2018-03-16 06:19:07 +0700
committerGitHub <noreply@github.com>2018-03-16 06:19:07 +0700
commitce9af44139520d8a0f1f3e25cfe06e68e48f8cea (patch)
treecc6b0a7c249e97af7e42cd026a2ef5dd04e0e80d
parent98d47b93bbac7abcc26f073329d4f1180deb47c1 (diff)
parent1d21300885e606ec9e8da2b9a9b7af898d896a24 (diff)
downloadvyatta-cfg-firewall-ce9af44139520d8a0f1f3e25cfe06e68e48f8cea.tar.gz
vyatta-cfg-firewall-ce9af44139520d8a0f1f3e25cfe06e68e48f8cea.zip
Merge pull request #8 from mtudosoiu/current
Task T35 place ipv6 groups under global group config tree
-rwxr-xr-xlib/Vyatta/IpTables/IpSet.pm2
-rwxr-xr-xscripts/firewall/vyatta-ipset.pl4
-rw-r--r--templates/firewall/group/ipv6-address-group/node.def (renamed from templates/firewall/ipv6-group/address-group/node.def)4
-rw-r--r--templates/firewall/group/ipv6-address-group/node.tag/address/node.def (renamed from templates/firewall/ipv6-group/address-group/node.tag/address/node.def)3
-rw-r--r--templates/firewall/group/ipv6-address-group/node.tag/description/node.def2
-rw-r--r--templates/firewall/group/ipv6-network-group/node.def (renamed from templates/firewall/ipv6-group/network-group/node.def)8
-rw-r--r--templates/firewall/group/ipv6-network-group/node.tag/description/node.def2
-rw-r--r--templates/firewall/group/ipv6-network-group/node.tag/network/node.def (renamed from templates/firewall/ipv6-group/network-group/node.tag/network/node.def)0
-rw-r--r--templates/firewall/group/network-group/node.def2
-rw-r--r--templates/firewall/ipv6-group/address-group/node.tag/description/node.def2
-rw-r--r--templates/firewall/ipv6-group/network-group/node.tag/description/node.def2
-rw-r--r--templates/firewall/ipv6-group/node.def1
-rw-r--r--templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def2
-rw-r--r--templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def2
-rw-r--r--templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def2
-rw-r--r--templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def2
16 files changed, 23 insertions, 17 deletions
diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm
index e293240..cee7935 100755
--- a/lib/Vyatta/IpTables/IpSet.pm
+++ b/lib/Vyatta/IpTables/IpSet.pm
@@ -471,7 +471,7 @@ sub get_firewall_references {
my @fw_refs = ();
return @fw_refs if !$self->exists();
my $config = new Vyatta::Config;
- foreach my $tree ('name', 'modify') {
+ foreach my $tree ('name', 'ipv6-name', 'modify') {
my $path = "firewall $tree ";
$config->setLevel($path);
my @names = $config->$lfunc();
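Review bot: The hard-coded tree list in the `foreach` carries no comment saying what it has to cover, which is how `ipv6-name` presumably came to be missing until now. If callers use this result to decide whether a set is still referenced, a tree left out here makes an in-use group look unreferenced. I would add a comment above the loop such as `# Every firewall tree whose rules can reference a group must be listed here.` and confirm no other IPv6 rule tree in the schema is still omitted. The body of get_firewall_references continues outside this hunk.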
diff --git a/scripts/firewall/vyatta-ipset.pl b/scripts/firewall/vyatta-ipset.pl
index f18237d..0f7f731 100755
--- a/scripts/firewall/vyatta-ipset.pl
+++ b/scripts/firewall/vyatta-ipset.pl
@@ -252,7 +252,7 @@ sub ipset_is_group_defined {
die "Error: undefined set_type\n" if ! defined $set_type;
die "Error: undefined set_family\n" if ! defined $set_family;
- my $gpath = ($set_family eq 'inet') ? "firewall ipv6-group $set_type-group" : "firewall group $set_type-group";
+ my $gpath = ($set_family eq 'inet') ? "firewall group ipv6-$set_type-group" : "firewall group $set_type-group";
my @groups = $cfg->listOrigNodes($gpath);
my $group;
foreach $group (@groups) {
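Review bot: The ternary on the `my $gpath` line maps `inet` to the `ipv6-` path, the opposite of the mapping in `update_set` further down, and nothing explains it. It looks intentional, since the templates call this action to find a name already used by the other family, but the next reader will take it for a swapped-branch bug. Add a comment above it, for example `# Deliberately look in the OTHER family's tree: a group name may not be reused across IPv4 and IPv6.` Only the same `$set_type` is searched, so whether an address-group and a network-group may share a name across families is worth stating there too. The function body starts and ends outside this hunk.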
@@ -267,7 +267,7 @@ sub update_set {
my ($set_name, $set_type, $set_family) = @_;
my $cfg = new Vyatta::Config;
my ($rc, $newset);
- my $cpath = ($set_family eq 'inet') ? "firewall group $set_type-group $set_name" : "firewall ipv6-group $set_type-group $set_name";
+ my $cpath = ($set_family eq 'inet') ? "firewall group $set_type-group $set_name" : "firewall group ipv6-$set_type-group $set_name";
if ($cfg->existsOrig($cpath)) {
if (!$cfg->exists($cpath)) {
# deleted
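Review bot: In `update_set` the `my $cpath` ternary treats every value other than `inet` as IPv6, so an undefined or misspelled `--set-family` silently operates on the `ipv6-` tree. `ipset_is_group_defined` above dies on an undefined family, but no equivalent guard is visible in this hunk. Unless the family is validated before the call, add an explicit check right after the argument unpacking, e.g. `die "Error: invalid set_family\n" if !defined $set_family || $set_family !~ /\Ainet6?\z/;`. The rest of the function is outside the hunk.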
diff --git a/templates/firewall/ipv6-group/address-group/node.def b/templates/firewall/group/ipv6-address-group/node.def
index b61f784..20e4430 100644
--- a/templates/firewall/ipv6-group/address-group/node.def
+++ b/templates/firewall/group/ipv6-address-group/node.def
@@ -1,7 +1,7 @@
tag:
priority: 200
type: txt
-help: Firewall address-group
+help: Firewall ipv6-address-group
syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \
"Firewall group name must be 31 characters or less"
@@ -21,5 +21,5 @@ syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defi
end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
--set-name="$VAR(@)" --set-type=address --set-family=inet6; then
- ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group address-group $VAR(@)"
+ ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group ipv6-address-group $VAR(@)"
fi
diff --git a/templates/firewall/ipv6-group/address-group/node.tag/address/node.def b/templates/firewall/group/ipv6-address-group/node.tag/address/node.def
index ba944e6..5bd948b 100644
--- a/templates/firewall/ipv6-group/address-group/node.tag/address/node.def
+++ b/templates/firewall/group/ipv6-address-group/node.tag/address/node.def
@@ -3,4 +3,7 @@ type: txt
help: Address-group member
val_help: ipv6; IPv6 address to match
+syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; \
+ "Error [$VAR(@)] isn't valid IPv6 host address"
+
syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)"
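Review bot: The added pattern `^[^|;&$<>/]*$` is a denylist, and the following `exec` line still passes `$VAR(@)` unquoted to `vyatta-validate-type`. The denylist leaves out other shell-significant characters (backquote, parentheses, quotes, backslash, whitespace) and also accepts the empty string. An allowlist of what an IPv6 host address can contain is tighter and easier to reason about: `syntax:expression: pattern $VAR(@) "^[0-9A-Fa-f:.]+$" ; \`, widened only for forms `ipv6_addr_param` really accepts. The same unquoted `--set-name=$VAR(@)` appears in the new `is-group-defined` exec added to `ipv6-network-group/node.def`, while the `end:` blocks quote it as `--set-name="$VAR(@)"`. Quoting it in the exec strings as well would stop the checks depending on the order of the pattern expressions.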
diff --git a/templates/firewall/group/ipv6-address-group/node.tag/description/node.def b/templates/firewall/group/ipv6-address-group/node.tag/description/node.def
new file mode 100644
index 0000000..f630483
--- /dev/null
+++ b/templates/firewall/group/ipv6-address-group/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: IPv6 Address-group description \ No newline at end of file
diff --git a/templates/firewall/ipv6-group/network-group/node.def b/templates/firewall/group/ipv6-network-group/node.def
index 90383c2..084fdb0 100644
--- a/templates/firewall/ipv6-group/network-group/node.def
+++ b/templates/firewall/group/ipv6-network-group/node.def
@@ -1,7 +1,7 @@
tag:
priority: 200
type: txt
-help: Firewall network-group
+help: Firewall ipv6-network-group
syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \
"Firewall group name must be 31 characters or less"
@@ -15,7 +15,11 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \
syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
"Firewall group name cannot contain shell punctuation"
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \
+ --set-type=network --set-family=inet6"; \
+ "Firewall group name already used as Ipv4 group address"
+
end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
--set-name="$VAR(@)" --set-type=network --set-family=inet6; then
- ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-group network-group $VAR(@)"
+ ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group ipv6-network-group $VAR(@)"
fi
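Review bot: The error text on the new `is-group-defined` check reads `"Firewall group name already used as Ipv4 group address"`, but this node is a network-group and the check is called with `--set-type=network`. An operator hitting the collision is pointed at the wrong kind of group. Something like `"Firewall group name already used by an IPv4 network-group"` matches what is actually tested. The IPv4 `network-group/node.def` hunk has the mirror-image wording (`already used as Ipv6 group address`) after its `--set-type` was corrected to `network`, and should be fixed the same way.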
diff --git a/templates/firewall/group/ipv6-network-group/node.tag/description/node.def b/templates/firewall/group/ipv6-network-group/node.tag/description/node.def
new file mode 100644
index 0000000..cc905df
--- /dev/null
+++ b/templates/firewall/group/ipv6-network-group/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: IPv6-network-group description
diff --git a/templates/firewall/ipv6-group/network-group/node.tag/network/node.def b/templates/firewall/group/ipv6-network-group/node.tag/network/node.def
index 879a164..879a164 100644
--- a/templates/firewall/ipv6-group/network-group/node.tag/network/node.def
+++ b/templates/firewall/group/ipv6-network-group/node.tag/network/node.def
diff --git a/templates/firewall/group/network-group/node.def b/templates/firewall/group/network-group/node.def
index ed9810d..14b8366 100644
--- a/templates/firewall/group/network-group/node.def
+++ b/templates/firewall/group/network-group/node.def
@@ -16,7 +16,7 @@ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
"Firewall group name cannot contain shell punctuation"
syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \
- --set-type=address --set-family=inet"; \
+ --set-type=network --set-family=inet"; \
"Firewall group name already used as Ipv6 group address"
end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
diff --git a/templates/firewall/ipv6-group/address-group/node.tag/description/node.def b/templates/firewall/ipv6-group/address-group/node.tag/description/node.def
deleted file mode 100644
index 032553a..0000000
--- a/templates/firewall/ipv6-group/address-group/node.tag/description/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-type: txt
-help: IPv6 Address-group description
diff --git a/templates/firewall/ipv6-group/network-group/node.tag/description/node.def b/templates/firewall/ipv6-group/network-group/node.tag/description/node.def
deleted file mode 100644
index 52bb8e4..0000000
--- a/templates/firewall/ipv6-group/network-group/node.tag/description/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-type: txt
-help: Network-group description
diff --git a/templates/firewall/ipv6-group/node.def b/templates/firewall/ipv6-group/node.def
deleted file mode 100644
index 3c87f34..0000000
--- a/templates/firewall/ipv6-group/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: IPv6 Firewall group
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def
index 71a4326..961663c 100644
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def
@@ -6,4 +6,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
--set-name=$VAR(@) \
--set-type=address;"
-allowed: cli-shell-api listNodes firewall ipv6-group address-group
+allowed: cli-shell-api listNodes firewall group ipv6-address-group
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def
index b3e2718..262c4dd 100644
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def
@@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
--action=check-set-type \
--set-name=$VAR(@) \
--set-type=network;"
-allowed: cli-shell-api listNodes firewall ipv6-group network-group
+allowed: cli-shell-api listNodes firewall group ipv6-network-group
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def
index 63f0540..9323938 100644
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def
@@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
--action=check-set-type \
--set-name=$VAR(@) \
--set-type=address;"
-allowed: cli-shell-api listNodes firewall ipv6-group address-group
+allowed: cli-shell-api listNodes firewall group ipv6-address-group
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def
index b3e2718..262c4dd 100644
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def
@@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
--action=check-set-type \
--set-name=$VAR(@) \
--set-type=network;"
-allowed: cli-shell-api listNodes firewall ipv6-group network-group
+allowed: cli-shell-api listNodes firewall group ipv6-network-group